A law firm may be considered a service provider under the CCPA to the extent that a written contract between the law firm and its client (e.g., an engagement letter) prohibits the law firm from using, retaining, and disclosing personal information except to the extent permitted by the client. The CCPA only requires that a “business that collects a consumer’s personal information” provide a notice at collection.1 As a result, if a law firm is a service provider, it would not be required to provide a notice at collection to individuals from whom it is attempting to collect personal information.
If, on the other hand, a law firm is considered a business, it is possible that it is exempt from the requirement to provide a notice at collection. Specifically, businesses are exempt from any obligations under the CCPA to the extent that they “restrict a business’s ability to . . . exercise or defend legal claims.”2 A court might determine that requiring a law firm to provide a notice at collection restricts the law firm’s ability to exercise or defend legal claims on behalf of clients, or restricts clients ability to have their claims exercised or defended by the law firm.
Even if a law firm is not exempt from the obligation to provide a notice at collection, assuming that the opposing party is a California consumer a discovery request may implicitly satisfy the obligation to provide a notice at collection. Specifically, a notice at collection should include the following information:
- A list of the categories of personal information that will be collected;
- The business or commercial purpose for which the information is being collected;
- Information on how to opt-out of the sale of personal information (if information is being sold); and
- Information on how to find the company’s complete privacy notice.3
A discovery request (e.g., interrogatives, document requests, or a deposition request) specifies the type of personal information that is being sought, and implicit in the discovery request is that the information will be used within the context of the litigation. While a discovery request does not specify how an opposing party can opt out of the sale of their personal information, discovery and ethics rules often prevent a law firm from attempting to sell personal information received in discovery.4 While most discovery requests do not specifically indicate how an opposing party can find a law firm’s complete privacy notice, if an opposing party is represented by counsel it would be difficult to argue that opposing counsel would not know how to locate a law firm’s privacy notice to the extent that it is publicly posted online. The net result is that most, if not all, of the information required by a notice at collection may be contained in a discovery request itself.5
1 Cal. Civ. Code 1798.100(b) (Oct. 2020) (emphasis added).
2 Cal. Civ. Code 1798.145(a)(5).
3 CCPA Reg. 999.305(b)(1)-(4).
4 For example, ABA Model Rule of Professional Ethics 4.4(a) prohibits a lawyer from using any method of obtaining evidence that would “violate the legal rights” of a third party.
5 Note that as of January 1, 2023, a notice at collection would also need to include the “length of time” that the business intends to retain each category of personal information. Cal. Civ. Code 1798.100(a)(3). In the context of civil litigation, the length of time that information will be kept is often conveyed to the opposing party through other means such as a negotiated protective order that discusses the return or destruction of documents at the end of the litigation.